Stolen Credentials and Stolen Press Releases Lead to Insider Trading

Nine people were charged for hacking, securities and wire fraud, as well as insider trading last Tuesday. Over a period of five years, hackers breached press release syndication websites, including Business Wire, PR Newswire and Marketwired and stole more than 150,000 press releases that revealed information on publicly traded companies.

Over 30 companies were targeted, including Bank of America, Boeing, Hewlett Packard, Delta, Panera Bread, Clorox and more. The press releases contained information on company financial performance, quarterly earnings, year-end earnings and news about potential mergers or acquisitions - all key information that could influence stocks.

The NYTimes.com reported that “rogue stock traders” used the stolen information to trade before the press releases were made public. These traders paid the hackers either a flat fee or a percentage of the profits they made. Traders and hackers alike shared the $100 million in profits made through illegal insider trading.

Stolen Credentials, Brute-Force & SQL Injections

According to the affidavit, the hackers “shared login credentials to the brokerage accounts with each other and other co-conspirators.” That made it easier for them to trade and transfer payments.

But how did the hackers steal the press releases? According to the court affidavit, they used a series of SQL injection attacks and then installed reverse shells on the press release distribution companies’ networks, which they used to extract the stolen data.

The hackers also “launched an intrusion” into the networks of Marketwired, which allowed them to steal contact and credential information for the company’s employees, clients and business partners. Who knows what “launched an intrusion” actually means - but they were able to impersonate legitimate users by using their credentials.

The hackers also brute forced (cracked passwords using an automated password-guessing tool) the login credentials of approximately 15 Business Wire employees. Officials found lists of hundreds of usernames and passwords that were marked as working, along with the type of access each account offered - either administrator or regular user.

Phishing for Biotech Info for Insider Trading

This isn’t the first stock-related hacking event. Late last year, I wrote about a report from FireEye that found a group of malicious hackers launching phishing attacks against publicly traded biotechnology companies. Their goal was to steal login credentials from top-level executives, researchers, security officers and legal counsel.

These attackers targeted the healthcare industry since its stocks tend to fluctuate significantly based on public announcements of clinical trial results, regulatory decisions and legal issues. The pharma sector is also a source of other insider information, such as drug development progress, insurance reimbursement rates and pending legal cases.

Phishing for Stock Cash Money, Too

Brokerage firms have also been targeted by hackers, as they have access to a large clientele of stockbrokers and large sums of money. They get phished too, and often - the Financial Industry Regulatory Authority (FINRA) surveyed broker-dealers and investment advisors and found that about half of them had received spam emails with requests to transfer client funds. Another 26 percent reported losses of $5k or more due to fraudulent emails.

Back in 2012, a hacker accessed broker-dealer firm accounts and traded stocks and securities in order to manipulate market prices. The hacker then bought back or sold stocks at artificial prices, making a profit on transactions, according to ComputerWorldUK.com.

Against these types of attacks, stronger access controls could help stop attackers who use stolen credentials and password-guessing tools to access press release distribution websites. Two-factor authentication could have reduced the success of the hackers who logged into the sites using stolen passwords. And geo-impossible login data (a user appearing to log in from two places too far apart to travel between in the elapsed time) could have shown that a hacker was logging into a user’s account from another state, as well as at odd hours.
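As an added example (not code from the original post or from any of the companies it names) of the geo-impossible and odd-hours checks just described, the script below flags logins whose implied travel speed is implausible or that fall outside working hours. The events, coordinates, speed threshold and working-hours window are all constructed assumptions.

```python
# Added example: flag "geo-impossible" and odd-hour logins in a constructed
# set of authentication events (user, ISO timestamp, lat/lon of the source IP).
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0            # assumed: faster than an airliner between two logins is implausible
WORK_HOURS = range(7, 20)  # assumed: 07:00-19:59 local; anything else counts as "odd hours"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events):
    """Return a list of (user, ts, reason) alerts for the given login events."""
    alerts = []
    last = {}  # user -> that user's previous login event
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ts.hour not in WORK_HOURS:
            alerts.append((ev["user"], ev["ts"], "odd-hours login"))
        prev = last.get(ev["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            # Ignore small moves (same city, different IP); guard against same-second logins.
            if km > 50 and (hours == 0 or km / hours > MAX_KMH):
                alerts.append((ev["user"], ev["ts"],
                               f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last[ev["user"]] = ev
    return alerts


# Constructed sample: alice logs in from New York, then 40 minutes later from
# Los Angeles (about 3,900 km away); bob logs in from Chicago at 03:15.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2015-08-10T09:00:00", "lat": 40.71, "lon": -74.01},
    {"user": "bob",   "ts": "2015-08-10T09:05:00", "lat": 41.88, "lon": -87.63},
    {"user": "alice", "ts": "2015-08-10T09:40:00", "lat": 34.05, "lon": -118.24},
    {"user": "bob",   "ts": "2015-08-10T17:30:00", "lat": 41.88, "lon": -87.63},
    {"user": "bob",   "ts": "2015-08-11T03:15:00", "lat": 41.88, "lon": -87.63},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In practice the coordinates would come from a GeoIP lookup on the source address of each authentication log entry, and the thresholds would be tuned per organisation.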